Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Web Application Header Configuration Requirements

Ingrid

The entire header configuration (not individual errors) is analyzed for the Web Application Headers risk vector. Refer to the following configuration requirements.

  • Requirements for GOOD grade: No misconfigured headers (required or optional) are present.
  • Requirements for FAIR grade: No more than 50% distinct misconfigured headers can be present (required and optional)

For HTTP connections, no headers are graded unless Set-Cookie is defined. The finding grade defaults to NEUTRAL.

See all assessed headers or how the Web Application Headers risk vector is assessed.

The Web Application Headers (WAH) risk vector was replaced with Web Application Security (WAS) in the RAU25 and will be deprecated. WAH is now a non-graded risk vector and is assigned with an N/A grade.

HTTP Downgrade

The following errors downgrade the response from HTTPS to HTTP:

  • 200 responses
  • 30X responses
  • 401 responses

See HTTP downgrade finding messages.

HTTP 1.1 (HTTPS)

Response Description
200

We validate that no hyperlinks in the HTML for the web page downgrade the user inside the site and the domain of the site.

We also validate and ensure the HTML of the webpage does not import resources (such as scripts and images) from outside the site using HTTP instead of HTTPS.

The finding is graded BAD if these resources are present.
30x (301, 302, 307) Any HTTPS finding that immediately downgrades the user to an HTTP connection using a redirect is graded as BAD.

HTTP 1.0 (HTTPS)

Response Description
200

We validate that no hyperlinks in the HTML for the web page downgrade the user inside the site and the domain of the site.

We also validate and ensure the HTML of the webpage does not import resources (such as scripts and images) from outside the site using HTTP instead of HTTPS.

The finding is graded BAD if these resources are present.
30x (302, 307) Any HTTPS finding that immediately downgrades the user to an HTTP connection using a redirect is graded as BAD.
  • October 14, 2025: WAH non-graded.
  • August 16, 2024: Published.

Related articles

Feedback

1 comment

Date Votes
  • Mladen Prekrat

    Hi Ingrid,

    the links in the table “Header Requirements for Transfer Protocols” are currently invalid, as the referenced pages do not exist. Please update these links accordingly.

    Br, Mladen

    0

Please sign in to leave a comment.